Expert Article By: Nicolai Solling, Director of Technology Services at help AG
The firewall has long been the vanguard of enterprises’ efforts to protect their networks from the multitude of internet threats stemming from unauthorized access. A December 2011 Gartner report estimated the firewall market at $6.3 billion, up from $5.9 billion in 2010. In its simplest form, a firewall is a means of access control: preventing outsiders from accessing private company data and controlling which external resources employees have access to.
According to Nicolai Solling, Director of Technology Services at help AG, traditional firewalls, introduced as far back as the mid-1990s, have limited visibility into the contemporary Web-based network landscape. Thanks to the explosive popularity of Web 2.0, application delivery is now possible through a variety of means: AJAX-based applications, Java-based applications, Hypertext Preprocessor (PHP), Active Server Pages (ASP) and .Net. When it comes to controlling such applications, a traditional firewall just doesn’t make the grade.
What are Next Generation Firewalls?
Next Generation Firewalls (NGFW) combine the features of traditional firewalls along with Intrusion Prevention, application identification and control, and user and group policies into a single high-performance application. These firewalls are ‘application-aware’ in that filtering is based upon the type of application or traffic traversing the ports.
These devices can even discriminate between applications that share the same port, allowing enforcement of highly granular policies, such as permitting Facebook access while blocking its gaming applications, or blocking file-sharing applications or proxy services, all while permitting the flow of HTTP traffic through the firewall.
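To make the difference between port-based and application-aware filtering concrete, here is an added illustration (not code from the article or from any vendor): a legacy rule that only looks at the destination port, beside a policy that first identifies the application from what is visible in the flow and then applies an ordered rule set. The signature logic and the proxy domain are constructed placeholders; a real NGFW uses a far richer signature engine.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal view of a connection: port plus the HTTP Host header (or TLS SNI) and path."""
    dst_port: int
    host: str = ""
    path: str = "/"


def identify_app(flow: Flow) -> str:
    """Constructed, hypothetical application signatures: several apps share port 80/443."""
    host, path = flow.host.lower(), flow.path.lower()
    if flow.dst_port not in (80, 443):
        return "unknown"
    if host == "facebook.com" or host.endswith(".facebook.com"):
        # Same site, different application: the gaming sub-application gets its own label
        if host.startswith("apps.") or path.startswith("/games"):
            return "facebook-games"
        return "facebook"
    if host.endswith(".proxy.example"):  # placeholder domain for a web proxy service
        return "web-proxy"
    return "web-browsing" if host else "unknown"


def port_policy(flow: Flow) -> str:
    """Legacy firewall: everything on the web ports is allowed, whatever it carries."""
    return "allow" if flow.dst_port in (80, 443) else "deny"


# Ordered, first-match rules keyed on the identified application; default deny.
APP_RULES = [
    ("facebook-games", "deny"),
    ("web-proxy", "deny"),
    ("facebook", "allow"),
    ("web-browsing", "allow"),
]


def app_policy(flow: Flow, rules=APP_RULES) -> str:
    """Application-aware firewall: classify first, then match the ordered rule set."""
    app = identify_app(flow)
    for name, action in rules:
        if name == app:
            return action
    return "deny"


# Constructed sample flows, all on port 80 so the port-based rule cannot tell them apart.
SAMPLE_FLOWS = [
    Flow(80, "www.facebook.com", "/home"),
    Flow(80, "apps.facebook.com", "/games/farm"),
    Flow(80, "free.proxy.example", "/browse?u=..."),
    Flow(80, "intranet.example", "/"),
]


def compare(flows=SAMPLE_FLOWS):
    """Return (app, legacy decision, NGFW decision) per flow for side-by-side review."""
    return [(identify_app(f), port_policy(f), app_policy(f)) for f in flows]
```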
Apart from addressing security concerns, which are implicit in the nature of a firewall, NGFWs also offer bandwidth control. Because of application awareness, NGFWs can perform QoS functions, so higher-priority applications are accorded a higher percentage of bandwidth. In the Middle East, where the cost of bandwidth is still prohibitively high, a device that addresses this concern in addition to its primary functionality is a welcome solution.
Wait, didn’t Unified Threat Management Systems make similar promises?
Many of the features of NGFWs were first promised by Unified Threat Management (UTM), which in many ways failed to live up to the marketing hype. UTM systems have inherent performance issues when advanced security features are enabled. This is because UTM systems are essentially classical firewalls: while they offer bolt-on features such as antivirus, IPS and URL filtering, each packet is still processed by these engines in sequence.
One of the reasons companies are wary of jumping on the NGFW bandwagon is that they burned their fingers with UTM solutions and fear that NGFWs will suffer from similar performance issues. However, since NGFWs classify traffic based on signatures and perform security inspection in parallel, they do not suffer from the same pitfalls as UTM systems.
Next-generation firewalls are the logical evolution in access control and enterprises are well aware of this. The same report by Gartner predicted that next-gen firewalls will comprise 35 percent of the installed firewall base by the end of 2014 and will account for 60 percent of all firewall purchases.
Migrating to Next-generation firewall technology
As the disparity between budgets and expectations continues to grow, IT departments today are asked to do more with less, which is why next-generation firewall technologies are an attractive option from both a technical and a financial perspective. Next-generation firewalls perform multiple functions such as IPS, URL filtering, proxying and network antivirus, thereby eliminating the need for a separate device for each of these, which in turn brings about a significant reduction in operational expenses.
When migrating to next-generation firewall technology, customers must be aware of the new features so as not to lose out on any of the functionality offered. Choosing the right partner for solution implementation is just as vital as selecting the right product. A lack of partner competency could translate to an NGFW that isn’t performing at its full potential or, in a worst-case scenario, technical issues during the implementation.
One thing organizations need to ensure is that the firewall software supports sufficient features for migrating the rules from legacy firewalls. Many enterprises are still required to run two levels of firewalls as per their regulatory requirements, and it is perfectly acceptable to operate a classic and a next-generation firewall simultaneously. This may even be desirable during the migration phase, allowing the next-generation firewall to be optimized or the policy set to be completely reorganized, taking into account the increased visibility and control offered by the new system.
Two prevailing trends in the Middle East IT industry have been the meteoric rise in the number of hacking attacks and the gradual shrinking of IT budgets. While these may often be looked upon as unrelated concerns, through the adoption of innovative, all-in-one solutions CIOs can tackle both problems simultaneously. The bottom line is that organizations that fail to do so are at risk of falling behind the competition. Next-generation firewalls are here to stay – be safe rather than sorry!